Last updated 2026-04-30
Summary in plain English
- Voice runs locally on your Mac. Microphone audio is captured by the Aura app or binary you installed from the official DMG, Homebrew tap, or installer script and processed in your own process.
- To talk to the language model, audio (or its text transcript)
is sent over an encrypted connection to xAI through a thin
Cloudflare Worker proxy at
codexini.com. We do not store the audio or the transcript on our servers. - We collect the minimum needed to make installs and calls work: an opaque activation token, your email if you sign up for the orb account, and aggregate request counts for abuse prevention.
- We never sell, share, or use your data to train any AI model.
- The proprietary LICENSE reserves all rights; this privacy notice describes data practice within the install-and-run exception granted by that license.
What we collect
1. Anonymous activation token (AURA_TOKEN)
When you install Aura through the official DMG, Homebrew tap, or installer script, the binary ships with an activation token embedded at compile time. The token is HMAC-signed by our Cloudflare Worker and lets your Aura process call the language model through our proxy. The token does not contain your name, email, or any personal data — it is an opaque string scoped to a release.
2. Voice / text payloads in transit
When you speak, Aura streams encoded audio to xAI through
codexini.com. The Cloudflare Worker forwards the
stream and attaches the upstream API key server-side. We do not
retain the audio, the transcript, or the assistant response.
Cloudflare's standard edge logs (request count, status code,
IP-derived region, user agent) are retained for up to 30 days
for abuse prevention and then discarded.
3. Optional orb account
If you choose to associate an email with the Aura orb (the menu-bar app), that email is stored in Cloudflare D1 alongside your activation token record. It is used to identify your account if you reach out for support, recover access, or upgrade plans. You can request deletion at any time by emailing [email protected].
4. Aggregate diagnostics
The orb periodically pings codexini.com to check
for new releases. The ping carries the current Aura version so
we can prioritize the rollout. It does not include your
microphone audio, project paths, or any code.
What we don't collect
- Your local source code, file paths, or project contents.
- Your microphone audio after the call ends.
- Conversation transcripts or assistant responses.
- Browsing history, contacts, calendar, or any data outside Aura.
- Telemetry beyond version + opaque token.
Third parties
- xAI — the language model that powers Aura's voice. xAI sees the audio / text payload while the call is active; their data handling is governed by xAI's privacy policy.
- Cloudflare — runs the proxy Worker, the DNS
for
codexini.com, and Cloudflare Pages where this site lives. Their handling is governed by Cloudflare's privacy policy. - Apple — when you first launch the signed binary, macOS contacts Apple's notarization service to verify the Developer ID signature. We do not control or see that traffic.
Data location
Cloudflare Workers run at the edge near you. Aura account email, token records, and abuse-prevention counters are stored in Cloudflare D1 in Cloudflare's infrastructure. We do not maintain our own servers.
Security
All network requests use TLS. Activation tokens are HMAC-signed and verified server-side. The upstream xAI key never leaves the Cloudflare Worker — it is not bundled with the Aura binary, not available to your local process, and not exposed in any client response. If an activation token leaks, we can revoke or lock that token record server-side without exposing the upstream key.
Your choices
- Don't install. The simplest opt-out.
- Uninstall. Delete
Aura.appfrom Applications for the DMG install, or runbrew uninstall aurafor Homebrew. No background processes remain. - Delete your orb account. Email [email protected] from the address tied to the account.
- Block our endpoints. Aura makes no calls if
network access to
codexini.comand the xAI endpoints is blocked. The voice loop simply will not start.
Children
Aura is not directed at and not intended for children under 13. We do not knowingly collect data from children.
Changes
If we materially change how we handle data, we update this page and bump the date above. Material changes that affect existing users are also called out in the release notes.
Contact
Questions, requests, or anything else: [email protected].